Create and Configure Oracle Wallet

Oracle Wallet is a file that stores database authentication and signing credentials. It allows users to securely access databases without providing credentials to third-party software (for example, Netwrix Auditor), and to easily connect to Oracle products, including those located in the cloud (e.g. Autonomous Data Warehouse).

A configured Wallet consists of two files, cwallet.sso and ewallet.p12, stored in a secure Wallet directory.

To allow Netwrix Auditor to work with Oracle Wallets, do the following:

  1. Create Oracle Wallet
  2. Install Oracle Instant Client
  3. Configure Oracle Instant Client for HTTP Proxy Connections
  4. Update Existing Oracle Client Installation

Create Oracle Wallet

There are multiple methods to create Oracle Wallet files. For example:

Install Oracle Instant Client

To perform a clean install of Oracle Instant Client, follow the instructions below. If you already have Oracle Client installed, refer to the Update Existing Oracle Client Installation section for more information.

  1. Download the appropriate package from the Oracle website: Instant Client Packages. Netwrix recommends installing the latest available version, but the product is compatible with version 12 and above.
  2. Download client credentials and store the file in a secure location. See Download Client Credentials (Wallets) for more information.

  3. Unzip your credentials file into a secure location.
  4. Navigate to the folder where you unzipped your credentials and locate the sqlnet.ora file.
  5. Replace the "?/network/admin" parameter with the name of the folder containing client credentials. For example:

    Windows-based platforms:

    WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="D:\\myapp\\atp_credentials")))
    SSL_SERVER_DN_MATCH=yes

  6. Create the TNS_ADMIN environment variable and set it to the location of the credentials file.

    NOTE: This variable is used to change the directory path of Oracle Net Services configuration files from the default location of ORACLE_HOME\network\admin to the location of the secure folder containing the credentials file you saved in Step 2. Set the TNS_ADMIN environment variable to the directory where the unzipped credentials files are, not to the credentials file itself.

  7. Navigate to the folder where you unzipped your credentials and locate the tnsnames.ora file. The file is used to map connection information for each Oracle service to a logical alias.

    Review the sample tnsnames.ora file, where myOracle is a logical alias for the wallet:

    myOracle =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = server1)(PORT = 1521))
        (CONNECT_DATA =
          (SERVICE_NAME = <service_name>)
        )
      )

    NOTE: Keep in mind that the wallet alias in the configuration file must match the Netwrix Auditor item name.

Configure Oracle Instant Client for HTTP Proxy Connections

If the client is behind a firewall and your network configuration requires an HTTP proxy to connect to the internet, perform the following steps to update the sqlnet.ora and tnsnames.ora files.

NOTE: HTTP proxy connections are available in Oracle Instant Client 12.2.0.1 and later.

  1. Add the following line to the sqlnet.ora file to enable connections through an HTTP proxy:

    SQLNET.USE_HTTPS_PROXY=on

  2. Open the tnsnames.ora file and add the following HTTP proxy connection definitions:

    • https_proxy — specify the proxy server hostname. For example, proxyhostname.
    • https_proxy_port — specify the port used for the HTTP proxy connection. For example, 80.

    Review the configuration example:

    ATPC_high =
      (description=
        (address=
          (https_proxy=proxyhostname)(https_proxy_port=80)(protocol=tcps)(port=1522)(host=atpc.example.oraclecloud.com)
        )
        (connect_data=(service_name=atpc1_high.atpc.oraclecloud.com)
        )
        (security=(ssl_server_cert_dn="atpc.example.oraclecloud.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US")
        )
      )

NOTE: Configuring sqlnet.ora and tnsnames.ora for the HTTP proxy may not be enough depending on your organization's network configuration and security policies. For example, some networks require a username and password for the HTTP proxy. In such cases, contact your network administrator to open outbound connections to hosts in the oraclecloud.com domain using port 1522 without going through an HTTP proxy.
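
A pre-flight check for the folder set up in the Instant Client steps and the HTTP proxy section above, written as an added example (not Netwrix or Oracle code). The function names, messages and the constructed sample folder are assumptions, and the check treats WALLET_LOCATION and TNS_ADMIN as the same folder, as this page's procedure does.

```python
import re
import tempfile
from pathlib import Path

FILES = ("cwallet.sso", "ewallet.p12", "sqlnet.ora", "tnsnames.ora")

def _read(path):
    # Drop '#' comment lines so a commented-out setting is not counted.
    return re.sub(r"(?m)^\s*#.*$", "", Path(path).read_text())

def check_wallet_config(tns_admin, alias):
    """Return the problems found in the folder that TNS_ADMIN points to."""
    if not tns_admin or not Path(tns_admin).is_dir():
        return ["TNS_ADMIN must name the credentials folder, not a file"]
    root = Path(tns_admin)
    missing = [f"missing file: {n}" for n in FILES if not (root / n).is_file()]
    if missing:
        return missing
    sqlnet, tns = _read(root / "sqlnet.ora"), _read(root / "tnsnames.ora")
    problems = []
    # Step 5: the default "?/network/admin" must be replaced by the wallet folder.
    m = re.search(r'DIRECTORY\s*=\s*"([^"]*)"', sqlnet, re.I)
    if not m or m.group(1) == "?/network/admin":
        problems.append("WALLET_LOCATION still uses ?/network/admin")
    elif Path(m.group(1)) != root:
        problems.append("WALLET_LOCATION differs from TNS_ADMIN")
    if not re.search(r"(?im)^\s*SSL_SERVER_DN_MATCH\s*=\s*(yes|on|true)\s*$", sqlnet):
        problems.append("SSL_SERVER_DN_MATCH is not enabled")
    # Step 7: the alias must exist, since it has to match the Auditor item name.
    if not re.search(rf"(?im)^\s*{re.escape(alias)}\s*=", tns):
        problems.append(f"alias {alias} not found in tnsnames.ora")
    if re.search(r"(?i)https_proxy\s*=", tns) and not re.search(
            r"(?im)^\s*SQLNET\.USE_HTTPS_PROXY\s*=\s*on\s*$", sqlnet):
        problems.append("https_proxy set but SQLNET.USE_HTTPS_PROXY is not on")
    return problems

def build_sample(sqlnet_extra="SSL_SERVER_DN_MATCH=yes\n", directory=None):
    """Constructed sample folder: placeholder wallet files, made-up values."""
    root = Path(tempfile.mkdtemp())
    for name in FILES[:2]:
        (root / name).write_bytes(b"constructed placeholder, not a wallet")
    (root / "sqlnet.ora").write_text(
        "WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = "
        f'(DIRECTORY="{directory or root}")))\n' + sqlnet_extra)
    (root / "tnsnames.ora").write_text(
        "myOracle = (description=(address=(https_proxy=proxyhostname)"
        "(https_proxy_port=80)(protocol=tcps)(port=1522)(host=server1)))\n")
    return str(root)
```

To check a real installation, pass the value of TNS_ADMIN and the Netwrix Auditor item name to check_wallet_config; an empty list means every check passed.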

Update Existing Oracle Client Installation

Netwrix assumes that you have sqlnet.ora and tnsnames.ora files and the TNS_ADMIN environment variable.

Do the following:

  1. Update your sqlnet.ora file. Example:

    WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="/home/atpc_credentials")))

  2. Copy the entries in the tnsnames.ora file provided in the Autonomous Transaction Processing wallet to your existing tnsnames.ora file.
